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Abstract. Multi-party contract signing (MFCS) protocols allow a group 
of signers to exchange signatures on a predefined contract. Previous ap¬ 
proaches considered either completely linear protocols or fully parallel 
broadcasting protocols. We introduce the new class of DAG MFCS pro¬ 
tocols which combines parallel and linear execution and allows for paral¬ 
lelism even within a signer role. This generalization is useful in practical 
applications where the set of signers has a hierarchical structure, such as 
chaining of service level agreements and subcontracting. 

Our novel DAG MPGS protocols are represented by directed acyclic 
graphs and equipped with a labeled transition system semantics. We 
define the notion of abort-chaining sequences and prove that a DAG 
MPGS protocol satisfies fairness if and only if it does not have an abort¬ 
chaining sequence. We exhibit several examples of optimistic fair DAG 
MPGS protocols. The fairness of these protocols follows from our theory 
and has additionally been verified with our automated tool. 

We define two complexity measures for DAG MPGS protocols, related 
to execution time and total number of messages exchanged. We prove 
lower bounds for fair DAG MPGS protocols in terms of these measures. 


1 Introduction 


A multi-party contract signing (MFCS) protocol is a communication protocol 
that allows a number of parties to sign a digital contract. The need for MFCS 
protocols arises, for instance, in the context of service level agreements (SLAs) 
and in supply chain contracting. In these domains (electronic) contract negotia¬ 
tions and signing are still mainly bilateral. Instead of negotiating and signing one 
multi-party contract, in practice, multiple bilateral negotiations are conducted 
in parallel 21 . Because negotiations can fail, parties may end up with just a 


subset of the pursued bilateral contracts. If a party is missing contracts with 
providers or subcontractors, it faces an overcommitment problem. If contracts 
with customers are missing, it has an overpurchasing problem . Both problems 
can be prevented by using fair multi-party contract signing protocols. 

Existing optimistic MFCS protocols come in two flavors. Linear MFCS pro¬ 
tocols require that at any point in time at most one signer has enough infor¬ 
mation to proceed in his role by sending messages to other signers. Broadcast 
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MFCS protocols specify a number of communication rounds in each of which 
all signers send or broadcast messages to each other. However, neither of the 
two kinds of protocols is suitable for SLAs or supply chain contracting. The rea¬ 
son is that in both domains, the set of contractors typically has a hierarchical 
structure, consisting of main contractors and levels of subcontractors. It is unde¬ 
sirable (and perhaps even infeasible) for the main contracting partners and their 
subcontractors to directly communicate with another partner’s subcontractors. 
This restriction immediately excludes broadcast protocols as potential solutions 
and forces linear protocols to be impractically large. 

In this paper we introduce MFCS protocol specihcations that support arbi¬ 
trary combinations of linear and parallel actions, even within a protocol role. 
The message flow of such protocols can be specified as a directed acyclic graph 
(DAG) and we therefore refer to them as DAG MFCS protocols. 

A central requirement for MFCS protocols is fairness. This means that either 
all honest signers get all signatures on the negotiated contract or nobody gets 
the honest signers’ signatures. It is well known that in asynchronous communi¬ 
cation networks, a deterministic MFCS protocol requires a trusted third party 
(TTF) to achieve fairness [^. In order to prevent the TTF from becoming a 
bottleneck, protocols have been designed in which the TTF is only involved to 
resolve conflicts. A conflict may occur if a message gets lost, if an external ad¬ 
versary interferes with the protocol, or if signers do not behave according to the 
protocol specification. If no conflicts occur, the TTF does not even have to be 
aware of the execution of the protocol. Such protocols are called optimistic [^. 
We focus on optimistic protocols in this paper. 

DAG MFCS protocols not only allow for better solutions to the subcon¬ 
tracting problem, but also have further advantages over linear and broadcast 
MFCS protocols and we design three novel MFCS protocols that demonstrate 
this. One such advantage concerns communication complexity. Linear protocols 
can reach the minimal number of messages necessary to be exchanged in fair 
MFCS protocols at the cost of a high number of protocol “rounds”. We call this 
the parallel complexity.^ which is a generalization of the round complexity mea¬ 
sure for broadcast protocols, and define it in Section [4)3l Conversely, broadcast 
protocols can attain the minimal number of protocol rounds necessary for fair 
MFCS, but at the cost of a high message complexity. We demonstrate that DAG 
MFCS protocols can simultaneously attain best possible order of magnitude for 
both complexity measures. 

As discussed in our related work section, the design of fair MFCS protocols 
has proven to be non-trivial and error-prone. We therefore not only prove our 
three novel DAG MFCS protocols to be fair, but we also derive necessary and 
sufficient conditions for fairness of any optimistic DAG MFCS protocol. These 
conditions can be implemented and verified automatically, but they are still non¬ 
trivial. Therefore, for a slightly restricted class of DAG protocols, we additionally 
derive a fairness criterion that is easy to verify. 

Contributions. Our main contributions are (i) the definition of a syntax and 
interleaving semantics of DAG MFCS protocols (Section |4.1[); (ii) the definition 
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of the message complexity and parallel complexity of such protocols (Section [43| ); 
(iii) a method to derive a full MFCS specihcation from a skeletal graph, including 
the TTP logic (Section]^; ( iv) necessary and sufficient conditions for fairness of 
DAG MFCS protocols (Section 5.3); (v) minimal complexity bounds for DAG 
MFCS protocols (Section [6A| ); (vi) novel fair MFCS protocols (SectionjC^; (vii) 
a software tool that verifies whether a given MFCS protocol is fair (described in 
Appendix 


2 Related Work 


We build on the body of work that has been published in the field of fair opti¬ 
mistic MFCS protocols in asynchronous networks. The first such protocols were 
proposed by Baum-Waidner and Waidner [^, viz. a round-based broadcast pro¬ 
tocol and a related round-based linear protocol. They showed subsequently 
that these protocols are round-optimal. This is a complexity measure that is re¬ 
lated to, but less general than, parallel complexity dehned in the present paper. 

Garay et al. introduced the notion of abuse-free contract signing. They 
developed the technique of private contract signature and used it to create 
abuse-free two-party and three-party contract signing protocols. Garay and Mac- 
Kenzie proposed MFCS protocols which were later shown to be unfair using 
the model checker Mocha and improved by Chadha et al. . Mukhamedov and 
Ryan [17| developed the notion of abort chaining attacks and used such attacks 
to show that Chadha et al.’s improved version does not satisfy fairness in cases 
where there are more than five signers. They introduced a new optimistic MFCS 
protocol and proved fairness for their protocol by hand and used the NuSMV 


model checker to verify the case of five signers. Zhang et al. 22 have used Mocha 


to analyze the protocols of Mukhamedov and Ryan and of Mauw et al. 15 


Mauw et al. 15 used the notion of abort chaining to establish a lower bound 


on the message complexity of linear fair MFCS protocols. This complexity mea¬ 
sure is generalized in the present paper to DAG MFCS protocols. Kordy and 


Radomirovic 10 have shown an explicit construction for fair linear MFCS proto¬ 


cols. The construction covers in particular the protocols proposed by Mukhame¬ 
dov and Ryan 17 and the linear protocol of Baum-Waidner and Waidner [^, 
but not the broadcast protocols. The DAG MFCS protocol model and fairness 
results developed in the present paper encompass both types of protocols. They 
allow for arbitrary combinations of linear and parallel behaviour (i.e. partial 
parallelism), and in addition allow for parallelism within signer roles. MFCS 
protocols combining linear and parallel behaviour have not been studied yet. 

Apart from new theoretical insights to be gained from designing and studying 
DAG MFCS protocols, we anticipate interesting application domains in which 
multiple parties establish a number of related contracts, such as SLAs. Emerging 
business models like Software as a Service require a negotiation to balance a 
customer’s requirements against a service provider’s capabilities. The result of 


^ The tool and models of our protocols are available at the following website: http: 
//people.inf.ethz.ch/rsasa/mpcs 
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such a negotiation is often complicated by the dependencies between several 
contracts 13 and multi-party protocols may serve to mitigate this problem. 
Karaenke and Kirn propose a multi-tier negotiation protocol to mitigate 
the problems of overcommitment and overpurchasing. They formally verify that 
the protocol solves the two observed problems, but do not consider the fairness 
problem. SLAs and negotiation protocols have also been studied in the multi¬ 
agent community. An example is the work of Kraus 11 who defines a multi-party 
negotiation protocol in which agreement is reached if all agents accept an offer. 
If the offer is rejected by at least one agent, a new offer will be negotiated. 

Another interesting application area concerns supply chain contracting 
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A supply chain consists of a series of firms involved in the production of a product 
or service with potentially complex contractual relationships. Most literature in 
this area focuses on economic aspects, like pricing strategies. An exception is the 
recent work of Pavlov and Katok in which fairness is studied from a game- 
theoretic point of view. The study of multi-party signing protocols and multi¬ 
contract protocols has only recently been identified as an interesting research 


topic in this application area 20 


3 Preliminaries 

3.1 Multi-party contract signing 

The purpose of a multi-party contract signing protocol is to allow a number of 
parties to sign a digital contract in a fair way. In this section we recall the basic 
notions pertaining to MFCS protocols. We use A to denote the set of signers 
involved in a protocol, £ to denote the contract, and T to denote the TTP. 

A signer is considered honest (cf. Definition if it faithfully executes the 
protocol specification. An MFCS protocol is said to be optimistic if its execution 
in absence of adversarial behaviour and failures and with all honest signers results 
in signed contracts for all participants without any involvement of T. Optimistic 
MFCS protocols consist of two subprotocols: the main protocol that specifies 
the exchange of promises and signatures by the signers, and the resolve protocol 
that describes the interaction between the agents and T in case of a failure in 
the main protocol. A promise made by a signer indicates the intent to sign £. 
A promise pp{m,x,Q,T) can only be generated by signer P £ A. The content 
(m, x) can be extracted from the promise and the promise can be verified by 
signer Q G A and by T. A signature Sp{m) can only be generated by P and by 
T, if T has a promise pp{m,x,Q,T). The content m can be extracted and the 
signature can be verified by anybody. Cryptographic schemes that allow for the 
above properties are digital signature schemes and private contract signatures . 

MFCS protocols must satisfy at least two security requirements, namely fair¬ 
ness and timeliness. An optimistic MFCS protocol for contract £ is said to be 
fair for an honest signer P if whenever some signer Q ^ P obtains a signature 
on £ from P, then P can obtain a signature on £ from all signers participating in 
the protocol. An optimistic MFCS protocol is said to satisfy timeliness, if each 
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signer has a recourse to stop endless waiting for expected messages. The fairness 
requirement will be the guiding principle for our investigations and timeliness 
will be implied by the communication model together with the behaviour of the 
TTP. A formal definition of fairness is given in Section |5.3[ 

A further desirable property for MFCS protocols is abuse-freeness which was 
introduced in [^. An optimistic MFCS protocol is said to be abuse-free, if it 
is impossible for any set of signers at any point in the protocol to be able to 
prove to an outside party that they have the power to terminate or successfully 
complete the contract signing. Abuse-freeness is outside the scope of this paper. 

3.2 Graphs 

Let G = {V,E) with E C V x V he a. directed acyclic graph. Let v,w G V he 
vertices. We say that v causally precedes w, denoted u ^ w, if there is a directed 
path from w to re in the graph. We write v ^ w for v < w W v = w. We extend 
causal precedence to the set ^ U A as follows. Given two edges (y,w), {v',w') € 
E, we say that {v,w) causally precedes {v',w') and write {v,w) -< if 

w :< v'. Similarly, we write v -< (y',w') if u ^ w' and {v,w) < v' ii w < v'. Let 
x,y iJ E. li X causally precedes y we also say that y causally follows x. We 
say that a set S' C G U A is causally closed if it contains all causally preceding 
vertices and edges of its elements, i.e., ^x £ S,y G V LI E : y y x => y L S. 

By in(u) C E we denote the set of edges incoming to v and by out(n) C E 
the set of edges outgoing from v. Formally, we have in(n) = {(re, v) £ E \ w £ V} 
and out(u) = {(u, w) € E \ w € V}. 

3.3 Assumptions 

The communication between signers is asynchronous and messages can get lost 
or be delayed arbitrary long. The communication channels between signers and 
the TTP T are assumed to be resilient. This means that the messages sent over 
these channels are guaranteed to be delivered eventually. In order to simplify 
our reasoning, we assume that the channels between protocol participants are 
confidential and authentic. We consider the problem of delivering confidential 
and authentic messages in a Dolev-Yao intruder model to be orthogonal to the 
present problem setting. 

We assume that £ contains the contract text along with fresh values (con¬ 
tributed by every signer) which prevent different protocol executions from gener¬ 
ating interchangeable protocol messages. Furthermore we assume that £ contains 
all information that T needs in order to reach a decision regarding the contract 
in case it is contacted by a signer. This information contains the protocol spec¬ 
ification, an identifier for T, identifiers for the signers involved in the protocol, 
and the assignment of signers to protocol roles in the protocol specification. 

We assume the existence of a designated resolution process per signer which 
coordinates the various resolution requests of the signer’s parallel threads. It will 
ensure that T is contacted at most once by the signer. After having received the 
first request from one of the signer’s threads, this resolution process will contact 
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T on behalf of the signer and store T’s reply. This reply will be forwarded to all 
of the signer’s threads whenever they request resolution. 

4 DAG Protocols 

Our DAG protocol model is a multi-party protocol model in an asynchronous 
network with a TTP and an adversary that controls a subset of parties. 

4.1 Specification and Execution Model 

A DAG protocol specification (or simply, a protocol specification) is a directed 
acyclic graph in which the vertices represent the state of a signer and the edges 
represent either a causal dependency between two states (an e-edge) or the 
sending of a message. A vertex’ outgoing edges can be executed in parallel. 
Edges labeled with exit denote that a signer contacts T. 

Definition 1. Let R be a set of roles such that T ^ R and M a set of messages. 
Let s and exit be two symbols, such that e, exit ^ M. By M®”* and Rt we denote 
the sets = ML) {e, exit} and Rt = i?U {T}, respectively. A DAG protocol 

specification is a labeled directed acyclic graph V = (V, E,r, p,, d), where 

1. {V, E) is a directed acyclic graph; 

2. r: D —>■ Rt is a labeling function assigning roles to vertices; 

3. p: E ^ edge-labeling function that satisfies 

(a) y{v,v') £ E: p{v,v') = e riv) = r{v'), 

(b) y{v,v') € E: p{v,v') = exit => r{v') = T; 

f. <5: M* M is a function associated with exit-labeled edges. 

A message edge {v, v') specifies that p{v, v') = to is to be sent from role r{v) to 
role r{v'). An e-edge {v,v') represents internal progress of role r(y) = r{v') and 
allows to specify a causal order in the role’s events. An exit edge denotes that 
a role can contact the TTP. The TTP then uses the function 5 to determine 
a reply to the requesting role, based on the sequence of messages that it has 
received. In Section exit messages and the 5 function are used to model the 
resolve protocol of the TTP. 

A B 


Fig. 1: Linear, broadcast, and the novel DAG MPCS protocols. 
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We give three examples of DAG protocols in Figure[^ represented as Message 
Sequence Charts (MSCs). The dots denote the vertices, which we group vertically 
below their corresponding role names. Vertical lines in the MSCs correspond to 
£-edges and horizontal or diagonal edges represent message edges. We mark edges 
labeled with signing messages with an “s” and we leave out the edge labels of 
promise messages. We do not display exit edges, they are implied by the MFCS 
protocol specification. A box represents the splitting of a role into two parallel 
threads, which join again at the end of the box. We revert to a traditional 
representation of labeled DAGs if it is more convenient (see, e.g.. Figure]^. 

The first protocol in Figure is a classical linear 2-party contract signing 
protocol. It consists of one round of promises followed by a round of exchanging 
signatures. The second protocol is the classical broadcast protocol for two signers. 
It consists of two rounds of promises, followed by one round of signatures. The 
third protocol is a novel DAG protocol, showing the power of in-role parallelism. 
It is derived from the broadcasting protocol by observing that its fairness does 
not depend on the causal order of the first two vertices of each of the roles. 

Let V = (V, E, r, fi, 5) be a protocol specification. The restriction of V to role 
P, denoted by Vp, is the protocol specification {Vp,Ep,rp, ^p,6p), where 

Ep = {{v, v') G E \ r{v) = P V r(n') = P} , Vp = {v,v' GV \ (n, v') G Pp} , 
rp{v) = r{v) for v G Vp, iJ-p{e) = ^(e) for e G Ep, and Sp = 6. 

The execution state of a protocol consists of the set of events, connected to 
vertices or edges, that have been executed. 

Definition 2. LetV = (V, E,r, fj,, S) be a protocol specification. A state ofV is 
a set s C V U E. The set of states ofV is denoted by Sp. The initial state ofV 
is defined as sg = 0. 

In order to give DAG protocols a semantics, we first define the transition 
relation between states of a protocol. 

Definition 3. Let V = {V, E,r, p,, S) be a protocol specification, L = {e,send, 
recv,exit} the set of transition labels, and s,s' G Sp the states of V. We say 
that V transitions with label a from state s into s', denoted by s s', iff s ^ s' 
and one of the following conditions holds 

1. a = recv and G V, such that in(n) C s and s' = sU {u}, 

2. a = send and 3m G M, e G E, such that ij,{e) = m, and s' = s U {e}, 

3. a = e and 3e = {v, v') G E, such that ii{e) = e, v G s and s' = sU {e}, 

4- C( = exit and 3e G E, such that fi{e) = exit and s' = sU {e}. 

In Definition!^ receive events are represented by vertices, all other events by 
edges. By the first condition, a receive event can only occur if all events assigned 
to the incoming edges have occurred. In contrast, the sending of messages (second 
condition) can take place at any time. The third condition states that an e-edge 
can be executed if the event on which it causally depends has been executed. 
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Finally, like send events, an exit event can occur at any time. Every event may 
occur at most once, however. This is ensured by the condition s' 7 ^ s. 

The transitions model all possible behavior of the system. The behavior of 
honest agents in the system will be restricted as detailed in the following sub¬ 
section. We denote sequences by [oq, ui,..., a/] and the concatenation of two 
sequences cti , <72 by ui • CT 2 . 


Definition 4. Let V = {V, E, r, /i, S) be a protocol specification and L = {e, send, 
recv,exit} a set of labels. The semantics of V is the labeled transition system 
{S-p, L,-^,so), which is a graph consisting of vertices Sp and edges with start 
state So- An execution ofP is a finite sequence p = [sq, oi, si,..., a;, s;], / > 0, 
such that Vi € {0,...,? — 1}: Si 5i-i-i. The set of all executions of V is 
denoted by Exe{V). 


If p = [sq, «!, Si,..., Oi, Si] is an execution of V and Vp is the restriction to role 
P, then the restricted execution pp is obtained inductively as follows. 

1. [s]p = [s n {Vp U Ep)] for a state s. 

[s]p • crp 


if [sjp = [s'jp 
[s]p • [a] • ([s'] • cr)p else. 


2 . ([s,a, s'] • cr)p = 

Commutativity of restriction and execution is asserted by the following lemma. 


Lemma 1. Let V be a protocol specification and Vp the restriction to role P. 
Then every restricted execution pp is an execution ofVp. 


4.2 Adversary Model 

An honest agent executes the protocol specification faithfully. The following 
definition specifies what this entails for a DAG protocol: the agent waits for the 
reception of all causally preceding messages before sending causally following 
messages, does not execute an exit edge attached to a vertex v if all messages at 
V have been received and never executes more than one exit edge (which in the 
context of MFCS protocols corresponds to contacting the TTP at most once), 
and does not send any messages which causally follow a vertex from which the 
exit edge was executed. 

Definition 5. Let V be a DAG protocol specification. An agent P is honest in 
an execution p of V, if all states s of the restricted execution pp satisfy the 
following conditions: 

1. s contains at most one exit edge. 

2. If s contains no exit edge, then s is causally closed. 

3. If s contains an exit edge e = {v,w), p,{e) = exit, then v ^ s and s \ {e} is 
causally closed. 



A dishonest agent is only limited by the execution model. Thus a dishonest 
agent can send its messages at any time and in any order, regardless of the causal 
precedence given in the protocol specification. A dishonest agent can execute 
multiple exit edges and may send and receive messages causally following an 
exit edge. Dishonest agents are controlled by a single adversary, their knowledge 
is shared with the adversary. The adversary can delay or block messages sent 
from one agent to another, but the adversary cannot prevent messages between 
agents and the TTP from being delivered eventually. All communication channels 
are authentic and confidential. 

4.3 Communication Complexity 

To define measures for expressing the communication complexity of DAG pro¬ 
tocols, we introduce the notion of closed executions. A closed execution is a 
complete execution of the protocol by honest agents. 

Definition 6. LetV = (V, E,r, be a protocol specification and (S'p,L,'^,sq) 
he the semantics for V. Given p = [sq, oi, si,..., o;, s;] € Exe('P), we say that p 
is closed if the following three conditions are satisfied 

1. Si is causally closed, for every 0 < i < I, 

2. at exit, for every 1 < i < I, 

3. $a G L \ {exit} , s G S-p : p • [a, s] G Exe(7^). 

The set of all closed executions ofV is denoted by Exec(’P). 

Let p = [so, ai, si,..., ai, si] be an execution of a protocol V. By \p\send we 
denote the number of labels ai, for 1 <i < I, such that ai = send. 

Lemma 2. For any two closed executions p and p' of a protocol V we have 
|p|send — \p I send- 

The proof is given in the appendix. The first measure expressing the complexity 
of a protocol V is called message complexity. It counts the overall number of 
messages that have been sent in a closed execution of a protocol V. 

Definition 7. Let V be a protocol specification and let p G Exec(‘P). The mes¬ 
sage complexity ofV, denoted by MCp, is defined as MCp = Ipisend- 

Lemma guarantees that the message complexity of a protocol is well defined. 

The second complexity measure is called parallel complexity. It represents 
the minimal time of a closed execution assuming that all events which can be 
executed in parallel are executed in parallel. The parallel complexity of a protocol 
is defined as the length of a maximal chain of causally related send edges. 

Definition 8. The parallel complexity of a protocol V, denoted by PCp, is 
defined as 

PCp — max dfg,, g2 ... — send A . Ci ^ Cj-i-i. 
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Example 1. The message complexity of the first protocol in Figure is 4, which 
is known to be optimal for two signers 19 . Its parallel complexity is 4, too. The 


message complexity of the other two protocols is 6, but their parallel complexity 
is 3, which is optimal for broadcasting protocols with two signers [^. 


5 DAG MFCS protocols 

We now define a class of optimistic MFCS protocols in the DAG protocol model. 


5.1 Main Protocol 

The key requirements we want our DAG MFCS protocol specification to satisfy, 
stated formally in Definitionare as follows. The messages exchanged between 
signers in the protocol are of two types, promises, denoted by p(), and signatures, 
denoted by iS(). Every promise contains information about the vertex from which 
it is sent. This is done by concatenating the contract £ with the vertex v the 
promise originates from and is denoted by (£, u). The signers can contact the 
TTF at any time. This is modeled with exit edges: Every vertex v G V such 
that r{v) G A (the set of all signers) is adjacent to a unique vertex ut G V, 
r(vT) = T. The communication with T is represented by <5. The set of vertices 
with outgoing signature messages is denoted by SigSet. 

Definition 9. Let V = {V, E,r, pi,S) be a protocol specification, A C R he a 
finite set of signers, € he a contract, and SigSet CV.V is called a DAG MFGS 
protocol specification for €, 

1. 3! ut G F : r(uT) = T A Vu G F \ {ut} : (u, ut) G E, 

2. Vu, w G V : V < w ^ {v,w) G Ey 3u GV : v < u < w /\ r{u) G {r{v),r(w)}, 

3. y{v,w) G E : pl{v,w) = 

e, ifr{v) = r{w), 

exit, ifw = VT, 

‘Sr(v)(^)> z/u G SigSet A r{v) ^ r(w) ^ T, 
Pr(v)i^,v,r{w),T), else. 

4- S : M* -y { “a6ort”, (5p(£))pg^}, where {Sp{€))p^A denotes a list of sig¬ 
natures on £, one by each signer. 

We write SigSet{V) for the largest subset of SigSet which satisfies 
V G SigSetfiP) ^ 3w G F : {v,w) G E,^{v,w) G M. 

The set SigSetlfP) is called the signing set. 
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(a) Skeletal graph. 



Fig. 2: Skeletal and full representation of a DAG MFCS protocol. 


We represent DAG MPGS protocols as skeletal graphs as shown in Figure [2a| 
The full graph, shown in Figure [2bl is obtained from the skeletal graph by adding 
all edges required by condition of Definition and extending /i according to 
condition The e edges are dashed in the graphs. The shaded vertices in the 
graphs indicate the vertices that are in the signing set. We define the knowledge 
K{v) of a vertex v to be the set of message edges causally preceding v, and 
incoming to a vertex of the same role. The knowledge of a vertex represents the 
state right after its receive event. 

Kiv) = {(Wju') G E I g,{w,v') € M,v' < v,r{v') = r(u)} 

We define the pre-knowledge K^{v) of a vertex v to be K^(v) = {{w,v') G 
K{v) I u' ^ u}. The pre-knowledge represents the state just before the vertex’ 
receive event has taken place. We extend both definitions to sets S CV: 

K{S) = y K{v) and K^{S) = y K^{v). 

vGS vGS 

We define the initial set of denoted InitSet{V) to be the set of vertices of 
the protocol specification for which the pre-knowledge of the same role does not 
contain an incoming edge by every other role. Formally, 

V G InitSetifP) {r(w) G A \ {w,v') G K^{v)} U {r(z;)} ^ A 
We write 3! for unique existential quantification. 
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The end set of V, denoted EndSet{V), is the set of vertices of the protocol 
specihcation at which the corresponding signer possesses all signatures. 

V G EndSetiV) {r(w) G A \ (w, v') G K{v), w G SigSet{V)} U {r(z;)} = A 


5.2 Resolve Protocol 


Let V = (P, E, r, fi, S) be a DAG MFCS protocol specification. The resolve 
protocol is a two-message protocol between a signer and the TTP T, initi¬ 
ated by the signer. The communication channels for this protocol are assumed 
to be resilient, conhdential, and authentic. T is assumed to respond imme¬ 
diately to the signer. This is modeled in V via an exit edge from a vertex 
V G V \ {'Ct} to the unique vertex vt G V. T’s response is given by the S 
function, S : M* -G {“abort”, (5p(£))pgA}- If mi,...,TO„ is the sequence of 
messages sent by the signers to T, then S{mi,... ,m„) is T’s response for the 
last signer in the sequence. The function will be stated formally in Definition [TOl 
We denote the resolve protocol in the following by Res{<t,v). The signer 
initiating Res{€,v) is r{v). He sends the list of messages assigned to the ver¬ 
tices in his pre-knowledge K^{v), prepended by (£, z;, r(z;), T), to T. This 
demonstrates that r{v) has executed all receive events causally preceding v. We 
denote r(z;)’s message for T by Pt,: 

Pv = {pr(v){*^,V,r{v),i:),{^l{w,v'))(y,y)^K^{v)) (1) 


The promise pr.(j;)(2i, zz, r(p), T), which is the first element of p„, is used by T 
to extract the contract £, to learn at which step in the protocol r{v) claims to 
be, and to create a signature on behalf of r(v) when necessary. All messages re¬ 
ceived from the signers are stored. T performs a deterministic decision procedure, 
shown in Algorithm [l] on the received message and existing stored messages and 
immediately sends back “abort” or the list of signatures {Sp{<L))p^a- 


Our decision procedure is based on 
sists of a message m received by the T 


The input to the algorithm con- 


from a signer and state information 
which is maintained by T. T extracts the contract and the DAG MPGS proto¬ 
col specification from m. For each contract £, T maintains the following state 
information. A list Evidence^ of all messages received from signers, a set /c of 
vertices the signers contacted T from, a set Dishonestir of signers considered to 
be dishonest, and the last decision made decision^. If T has not been contacted 
by any signer regarding contract £, then decision^ = “abort”. Else, decision(r is 
equal to “abort” or the list (5Q(£)Qg^) of signatures on £, one by each signer. 

T verifies that the request is legitimate in that the received message m is 
valid and the requesting signer P is not already considered to be dishonest. If 
these preliminary checks pass, the message is appended to Evidencetr. This is 
described in Algorithm in lines through The main part of the algorithm, 
starting at line |I0[ concerns the detection of signers who have continued the main 
protocol execution after executing the resolve protocol. If P has not received a 
promise from every other signer in the protocol (i.e. the if clause in line 10 is not 
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satisfied), then T sends back the last decision made (line[T7|). This decision is an 
“abort” token unless T has been contacted before and decided to send back a 
signed contract. If P has received a promise from every other signer, T computes 
the set of dishonest signers (lines 11 through 13) by adding to it every signer 
which has carried out the resolve protocol, but can be seen to have continued 
the protocol execution (line 12) based on the evidence the TTP has collected. 
If P is the only honest signer that has contacted T until this point in time, the 
decision is made to henceforth return a signed contract. 


Algorithm 1: TTP decision procedure Sq 
input : m, r, decisionn:, Evidence^, hr, Dishonest 
output: r, decision^, Evidence^, 7c, Dishonesty 


1 if m 7^ (pp(£, V, P, T), list) then 

2 r = “abort”; 

3 return output; 


4 

5 

6 
7 


if P G Dishonesty V Vw G P : m 7 ^ V 3w' G ly : P = r{w') then 
Dishonesty := Dishonesty U {P}; 
r = “abort”; 

return output; 


8 ly ;— ly U {r:}; 

9 Evidencey ■.= [Evidencey,m)\ 
10 if II ^ InitSet{P) then 


11 

12 

13 

14 

15 


for w € ly do 

if w ^ (in', x) G (ly) A r{w') = r{w) then 
Dishonesty := Dishonesty U {r(ty)}; 


if Vw G ly : r{w) ^ Dishonesty 
decisiony := {Sq{€))q(^a', 


r-(ui) = P then 


16 r = decisiony, 

17 return output; 


Definition 10. Let V = {V,E,r,fi,6) be a DAG MPCS protoeol speeifieation 
and So the TTP decision procedure from Algorithm [7| Then 5 : M* —>■ M is 
defined for mi,..., m„ G M by 

d{mi, ... ,m„) = 7ri((5 i(mi,... ,mn)), 

where tti is the projection to the first eoordinate and is defined inductively by 

(5i() = {“abort”, “abort”,%,%,%) 

5i{mi, ... ,m„) = 5o{mn,Si{mi, ... ,m„_i)). 

Thus the 5 function represents the response of the TTP in the Res{€,v) 
protocol for all executions of V. 
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5.3 Fairness 


We say that a DAG MFCS protocol execution is fair for signer P if one of the 
following three conditions is true: (i) No signer has received a signature of P; (ii) 

P has received signatures of all other signers; (iii) P has not received an “abort” 
token from the TTP. The last condition allows an execution to be fair as long 
as there is a possibility for the signer to receive signatures of all other signers. 

The key problem in formalizing these conditions is to capture under which 
circumstances the TTP responds with an “abort” token to a request by a signer. 
The TTP’s response is dependent on the decision procedure which in turn de¬ 
pends on the order in which the TTP is contacted by the signers. Since the deci¬ 
sion procedure is deterministic, it follows that the 6 function can be determined 
for every execution p = [sq, Q?!, si,..., s„] by considering the pre-knowledge of 
the vertices from which the exit transitions are taken. Abusing notation, we will 
write 6{p) instead of S{mi, ..., m^) where rrii are the messages sent to the TTP 
at the z-th exit transition in the execution. 

Definition 11. Let T be the TTP. An execution p = [sq, oi,..., s„] ofV is fair 
for signer P if one of the following conditions is satisfied: 

1. P has not sent a signature and no signer has received signatures from T. 

5{p) = “abort” Ay{v,w) € s„ : r(v) = P,r(w) 7 ^ P v ^ SigSet{V) 

2. P has received signatures from all other signers. 

3z; e s n EndSetifP) : r{v) = P 

3. P has not received an “abort” token from T. 

3(v, w) G s : r{v) = PAr{w) = T ^ ■ ■ ■ ,Sk, exit, SfcU{(z;, zc)}]) “abort” 

If none of these conditions are satisfied, the execution is unfair for P. 

Definition 12. An MPCS protocol specification V is said to be fair, if every 
execution p of V is fair for all signers that are honest in p. 

5.4 Sufficient and necessary conditions 

By the TTP decision procedure, T returns an “abort” token if contacted from a 
vertex v G InitSet{P). Thus a necessary condition for fairness is that an honest 
signer executes all steps of the initial set causally before all steps of the signing 
set that are not in the end set: 

Vz; € InitSet{V),w G SigSet{V) \ EndSet{V) : r{v) = r{w) v <w (2) 

If P contacts T from a vertex v ^ InitSet{V), then T responds with an “abort” 
token if it has already issued an “abort” token to another signer who is not in the 
set Dishonesty- This condition can be exploited by a group of dishonest signers 
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in an abort chaining attack 16 . The following definition states the requirements 
for a successful abort chaining attack. For ease of reading, we define the predicate 
hon(u,/). The predicate is true if there is no evidence (pre-knowledge) at the 
vertices in I that the signer r{v) has sent a message at or causally after v: 


hon(r), J) = ^3(a;, y) G K^{I) : v ^ {x,y) A r{v) = r{x) 


This is precisely the criterion used by T to verify honesty in Algorithm]^ line 12 


Definition 13. Let € be a contract and I < |A|. A sequence (vi,...,vi \ s) 
over V is called an abort-chaining sequence (AC sequence) for V if the following 
conditions hold: 


1. Signer r{vi) receives an abort token: Vi G InitSet{V) 

2. No signer contacts T more than once: 

3. The present and previous signer to contact T are considered honest by T; 

\/i <l : hon(ui, {ui,..., uj) A hon(ui_i, {ui,... ,?;*}) 

4 . The last signer to contact T has not previously received all signatures: 

\/v ^ vi : r(v) = r(vi) => v ^ EndSet{V) 

5. The last signer to eontact T has sent a signature before contacting T or in 

a parallel thread: 

s G SigSetifP) \ EndSet{V) : r(s) = r{vi) Avi s 

The AC sequence represents the order in which signers execute the resolve 
protocol with T. A vertex Vi in the sequence implies an exit transition via the 
edge {vi, vt) in the protocol execution. An abort chaining attack must start at a 
step in which T has no choice but to respond with an abort token due to lack of 
information. Condition covers this. Each signer may run the resolve protocol 
at most once. This is covered by Conditionj^ To ensure that T continues to issue 
“abort” tokens, Condition requires that there must always be a signer which 
according to T’s evidence has not continued protocol execution after contacting 
T. To complete an abort chaining attack, there needs to be a signer which has 
issued a signature (Condition]^, but has not received a signature (Conditions 
and and will not receive a signed contract from T because there is an honest 
signer (by Condition]^ which has received an “abort” token. 

It is not surprising (but nevertheless proven in the appendix) that a protocol 
with an AC sequence is unfair. However, the converse is true, too. 

Theorem 1. Let V be a DAG MFCS protocol. Then V is fair if and only if it 
has no AC sequences. 

The proof of this and the following theorems is given in the appendix. 
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(a) A three-party MFCS protocol from a signing sequence 



(c) Adding an e edge. 

Fig. 3: Skeletal graphs of fair protocols (a, c) and an unfair protocol (b). 


5.5 Fairness criteria 


Theorem reduces the verification of fairness from analyzing all executions to 
verifying that there is no AC-sequence (Definition 13). This, however, is still 
difficult to verify in general. The following two results are tools to quickly assess 
fairness of DAG MFCS protocols. The Hrst is an unfairness criterion and the 
second is a fairness criterion for a large class of DAG MPGS protocols. 

The following theorem states that in a fair DAG MFCS protocol, the union 
of paths from the initial set to every vertex v G SigSet(V) must contain all 
permutations of all signers (other than r{v)) as subsequences. In the class of 
linear MFGS protocols, considered in 10 , this criterion was both necessary and 


sufficient. We show in Example below that this criterion is not sufficient for 
fairness of DAG MFCS protocols. 

For I CV,v gV, we denote by path(J, v) = {(ui,..., Vk) G V* \ vi G I,Vk = 
"yj Vi<i<fc : {vi, Wi+i) G E} the set of all directed paths from a vertex in / to v. If 
p = (ui,..., Vk) is a sequence of vertices, we denote by r{p) = (r(ui),..., r{vk)) 
the corresponding sequence of signers. The sequences of signers corresponding 
to the paths from / to n is denoted by seq{I,v) = {r{p) G A* \ p G path(/,r!)}. 


Theorem 2. Let k = |A|. Let V be an optimistie fair DAG MFCS protoeol, 

I = {v G LnitSetifP) \ (v ^ w A r(v) = r(w)) ^ w ^ InitSet{V)} . 

If V G SigSet(V), then for every permutation (Pi, ..., Pk-i) of signers in A\ 
{r(u)}, there exists a sequence in seq(/, u) which contains (Pi,..., Pfc_i) as a 
(not necessarily consecutive) subsequence. 

The converse of the theorem is not true as the following example shows. In 
particular, this example demonstrates that the addition of a vertex to a fair 
DAG MPGS protocol does not necessarily preserve fairness. 
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Example 2. The protocol in Figure[^is fair by the results of 10 . By Theorem]^ 
for every vertex v S SigSet{V) every permutation of signers in A \ {P} occurs 
as a subsequence of a path in seq(/,u). The protocol in Figure]^ is obtained 
by adding the vertex Bq as a parallel thread of signer B. Thus the permutation 
property on the set of paths is preserved, yet the protocol is not fair: An AC 
sequence is (Bg, Cs, A 4 IA 3 ). The vertex Bq is in InitSet{V), the evidence pre¬ 
sented to the TTP at C 3 includes the vertices causally preceding C 2 , thus B 
is considered to be honest. The evidence presented by signer A at A 4 are the 
vertices causally preceding A 3 proving that B is dishonest, but C is honest. Thus 
A has sent a signature at A 3 but will not receive signatures from B and C. 


If a protocol has no in-role parallelism, then the converse of Theorem is 
true. Thus we have a simple criterion for the fairness of such protocols. 

Theorem 3. Let V he an optimistic DAG MFCS protocol without in-role par¬ 
allelism. Let 


I = {v € LnitSet{V) | (u ^ w A r{v) = r{w)) ^ w ^ InitSet{V)} . 

If all paths from I to v € SigSet{V) contain all permutations of A \ {r(u)} then 
V is fair for r{v). 

Example 3. By adding a causal edge between vertex Bq and vertex B 2 of the 
protocol in Figure |3bl as shown in Figure [3^ we obtain again a fair protocol. 


6 Protocols 

In this section we illustrate the theory and results obtained in the preceding 
sections by proving optimality results and constructing a variety of protocols. 


6.1 Minimal complexity 

We prove lower bounds for the two complexity measures defined in our model, 
viz. parallel and message complexity. 

Theorem 4. The minimal parallel complexity for an optimistic fair DAG MFCS 
protocol is n 1 , where n is the number of signers in the protocol. 

Froof. By Theorem every permutation of signers in the protocol must occur 
as a subsequence in the set of paths from a causally last vertex in the initial set 
to a vertex in the signing set. Since a last vertex v in the initial set must have a 
non-empty knowledge K(v), there must be a message edge causally preceding v. 
There are at least n — 1 edges in the path between the vertices associated with 
the n signers in a permutation and there is at least one message edge outgoing 
from a vertex in the signing set. Thus a minimal length path for such a protocol 
must contain n -|- 1 edges. 
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Fig. 4: A minimal 4-party fair broadcasting protocol. 


The minimal parallel complexity is attained by the broadcast protocols of 
Baum-Waidner and Waidner [^. An example is shown in Figure]^ 

Theorem 5. The minimal message complexity for an optimistic fair DAG MFCS 
protocol is X{n) -I- 2n — 3, where n is the number of signers in the protocol and 
A(n) is the length of the shortest sequence which contains all permutations of 
elements of an n-element set as subsequences. 

The minimal message complexities for 2 < n < 8 are + 1. The minimal 
message complexities for n > 10 are smaller or equal to . 

Note that while broadcasting protocols have a linear parallel complexity, 
they have a cubic message complexity, since in each of the n -I- 1 rounds each 
of the n signers sends a message to every other signer. Linear protocols on the 
other hand have quadratic minimal message and parallel complexities. In the 
following we demonstrate that there are DAG protocols which attain a linear 
parallel complexity while maintaining a quadratic message complexity. 


6.2 Protocol constructions 


Single contractor, multiple subcontractors. A motivation for fair MFCS protocols 
is a scenario where a single entity, here referred to as a contractor. 


10 


given m 

would like to sign k contracts with k independent companies, in the following 
referred to as subcontractors. The contractor has an interest in either having all 
contracts signed or to not be bound by any of the contracts. The subcontrac¬ 
tors have no contractual obligations towards each other. It would therefore be 
advantageous if there is no need for the subcontractors to directly communicate 
with each other. 


The solutions proposed in 10 are linear protocols. Their message and parallel 


complexities are thus quadratic. Linear protocols can satisfy the requirement 
that subcontractors do not directly communicate with each other only by greatly 
increasing the message and parallel complexities. 

The protocol we propose here is a DAG, its message complexity is 2(n -I- 
l)(n— 1) and its parallel complexity is 2n-|-2 for n signers. It therefore combines 


18 








(a) A single contractor and (b) Two joint subcontractors, 

three subcontractors. 

Fig. 5: Two examples of novel, fair DAG MFCS protocols. 


the low parallel complexity typically attained by broadcasting protocols with the 
low message complexity of linear protocols. Additionally, the protocol proposed 
does not require any direct communication between subcontractors. 

Figure [5a| shows a single contractor with three subcontractors. The protocol 
can be subdivided into five rounds, one round consisting of the subcontractors 
sending a message to the contractor followed by the contractor sending a message 
to the subcontractors. In the first four rounds promises are sent, in the final round 
signatures are sent. The protocol can be easily generalized to more than three 
subcontractors. For every subcontractor added, one extra round of promises 
needs to be included in the protocol specification. 

The protocol is fair by Theorem]^ The MSC shown in Figurej^resembles the 
skeletal graph from which it was built. The message contents can be derived by 
computing the full graph according to Condition of Definition The result is 
as follows. In each round of the protocol, each of the subcontractors sends to the 
contractor a promise for the contractor and for each of the other subcontractors. 
The contractor then sends to each of the subcontractors all of the promises 
received and his own promise. The final round is performed in the same manner, 
except that promises are replaced by signatures. 


Two contractors with joint subcontractors. Figure |5b| shows a protocol where 
two contractors want to sign a contract involving two subcontractors. The sub¬ 
contractors are independent of each other. 

After the initial step, where all signers send a promise to the first contractor 
A, there are three protocol rounds, one round consisting of the contractor A 
sending promises to the two subcontractors L and R in parallel which in turn 
send promises to the second contractor B. A new round is started with the second 
contractor sending the promises received with his own promise to contractor A. 
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This protocol, too, can be generalized to several independent subcontractors. 
For every subcontractor added, one extra protocol round needs to be included in 
the protocol specification and each protocol step of the subcontractors executed 
analogously. 
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Parallelism within a role. Figure shows an example of a subcontracting pro¬ 
tocol with in-role parallelism for the contractor role. The contractor initiates 
the protocol. In the indicated parallel phase, the contractor may immediately 
forward a promise by one of the subcontractors along with his own promise to 
the other subcontractor without waiting for the latter subcontractor’s promise. 
The same is true in the signing phase. The fairness property for this protocol 
has been verified with a tool (described in Appendix which tested fairness 
for each signer in all possible executions. 


7 Conclusion 

We have identified fair subcontracting as a challenging new problem in the area 
of multi-party contract signing. We have made first steps towards solving this 
problem by introducing DAG MFCS protocols and extending existing fairness 
results from linear protocols to DAG protocols. For three typical subcontracting 
configurations we propose novel DAG MFCS protocols that perform well in 
terms of message complexity and parallel complexity. Fairness of our protocol 
schemes follows directly from our theoretical results and we have verified it for 
concrete protocols with our automatic tool. 

There are a number of open research questions related to fair subcontracting 
that we haven’t addressed. We mention two. The first concerns the implemen¬ 
tation of multi-contracts. In our current approach we consider a single abstract 
contract shared by all parties. However, in practice such a contract may con¬ 
sist of a number of subcontracts that are accessible to the relevant signers only. 
How to cryptographically construct such contracts and what information these 
contracts should share is not evident. Second, a step needs to be made towards 
putting our results into practice. Given the application domains identified in 
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this paper, we must identify the relevant signing scenarios and topical boundary 
conditions in order to develop dedicated protocols for each application area. 
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A DAG MFCS Verification Tool 


We have developed a prototype tool in Python 2 that model checks a skeletal 
protocol graph for the fairness property (Definition |11[ ) in the execution model 
defined in Section 4.1 The tool, along with specifications for the protocols pre¬ 
sented in this paper, is available at http: //people. inf . ethz. ch/rsasa/mpcs, 

The tool’s verification procedure works directly on the execution model and 
the TTP decision procedure (Algorithm . It therefore provides evidence for 
the correctness of the protocols shown in Section]^ independent of the fairness 
proofs given in this paper. 

The verification is performed as follows. For each specified signer, the tool 
analyzes a set of executions in which the signer is honest and all other signers 
dishonest. The tool does not analyze all possible executions. It starts the analysis 
from the state where all promises of dishonest signers have been sent, but no 
protocol step has been performed by the honest signer. By analyzing this type of 
executions only, we do not miss any attacks, because the honest signers’ fairness 
is not invalidated until he has sent a signature. In this reduced set of executions, 
the dishonest signers retain the possibility to contact the TTP from any of their 
vertices and all these possibilities are explored by the tool. 

We note that the same type of verification could be achieved with an off- 
the-shelf model checker and we would expect better performance in such a case. 
However, the code complexity and room for error when encoding a given protocol 
and TTP decision procedure in a model checker’s input language is comparable 
to the code complexity of this self-contained tool. 


B Technical Details and Proofs 

B.l Technical Details 

Parallelism within a role The MPCS protocols designed in this work allow 
for parallelism during the execution of the protocol. The specification language 
allows even for parallel threads to occur within a signer role. This allows us 
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to model the case where a signer role represents multiple branches of the same 
entity. A signature issued by any branch represents the signature of the entire 
entity. We expect that the signing processes across branches are not easily syn- 
chronizeable with each other. Such parallelism can be implemented in multiple 
ways. We discuss the various options and explain the choices made for this paper. 

The first decision to be made is whether parallel threads of a signer role 
should be assumed to have shared knowledge. In this paper, we choose the weaker 
assumption: memory for a signer’s parallel threads is local to the threads. This is 
in accordance with our expectation that parallel-threads are not easily synchro- 
nizeable and allows us, for instance, to specify and analyze protocols in which 
representatives of a signing entity can independently carry out parallel protocol 
steps without the need to communicate and synchronize their combined knowl¬ 
edge. Causal dependence between two actions of a signer is explicitly indicated 
in the protocol specification. 

This design decision leads to three options for handling protocol failures. 

1. All threads of a signer immediately synchronize and stop executing whenever 
any of the threads intends to issue a resolve request to the TTP. A designated 
resolution process per signer will be required to continuously schedule all 
threads and take care of the interaction with the TTP. 

2. Threads of a signer contact the signer’s designated resolution process only 
when they intend to issue a resolve request. The resolution process will take 
of contacting the TTP (only once per signer) and distributing the TTP’s 
reply upon request of the threads. 

3. Threads of a signer are considered fully independent. A signer’s threads are 
not orchestrated. The TTP may take into account that two requests can 
originate from the same signer, but from different (causally not related) 
threads. 

In this paper we adopt the second option, which keeps the middle between 
the fully synchronized and fully desynchronized model. This will on the one 
hand allow for independent parallel execution of the threads and on the other 
hand minimize the impact of the signer’s threading on the TTP’s logic. From an 
abstract point of view, one could even argue that the second and third option 
are equivalent if we consider the signer’s designated resolution processes just as 
part of a distributed TTP. We assume that the communication between a thread 
and the designated resolution process is resilient. 

The class of DAG MFCS protocols The class of DAG MPCS protocols 
defined in Section is restricted by condition of Definition It requires that 
every signer P sends a message to all subsequent, causally following signers 
occurring before signer P’s next step. While there are fair DAG MPGS protocols 
which do not belong to this restricted class, such protocols are not going to have 
a lower communication complexity. The reason for this is that each message 
received by a signer serves as evidence for the TTP that the sender has executed 
the protocol up to a certain step. Skipping such a message thus lengthens the 
protocol, because the evidence is available only at a later vertex. 
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Furthermore, the restriction simplifies the reasoning about fairness in that 
causal precedence v < w between vertices v, w is enough to guarantee that 
there is a message sent from signer r(v) to signer r(w) at some point between 
the execution of v and the execution of w. Finally, it also permits one to design, 
characterize, and represent protocols using skeletal graphs rather than full graphs 
as displayed in Figure 

B.2 Proofs 

The set maxset(5') = {u S 5 | Vw € V : v ^ w ^ w ^ S} is the set of vertices 
in S which do not have any causally following vertices in S and we will refer 
to it as the set of maximal vertices of S. Similarly, minset(5') = {u S S' | Vw € 
V : w ^ V ^ w ^ Sj is the set of vertices in S which do not have any causally 
preceding vertices in S and will be referred to as the set of minimal vertices of 
S. 

Theorem. If there exists an AC sequence for a DAG MFCS protocol, then the 
protocol is not fair. 

Proof. Conditions through imply that the TTP decision procedure leads to 
an “abort” token for the last signer to contact the TTP. The remaining two 
conditions imply that the last signer has sent a signature, but not received a 
signature. 

To complete the proof, we need to construct an execution in which the exit 
transitions occur in the order indicated by the AC sequence and signer r{vi) is 
honest. Let {vi,... ,vi \ v) be an AC sequence. For each vertex Vi in the AC 
sequence, let Vi be the causal closure of {v,Vi} in V LI E. Note that the union 
of causally closed sets is causally closed. Let pi be the sequence of transitions 

■^ ... ^ Uj<i without exit transitions and such that all states are 
causally closed. 

For 1 < z < / and pi = [so,ai, ■ • • ,Sfc], let p- = [sq U{(ui, ut), ■ • •, (ui_i,UT)}, 
oi,..., Sfc U {(z;i,ut), • ■ •, ("yi-iifT)}, exit]. That is, p' is equal to pt, except for 
an additional exit transition s s U {(ui, ut)} and additional exit edges in all 
states which stem from exit transitions added to p'l,... ,Pi_i- Finally, for p[ = 
[so,ai, ■ ■ ■, Sfc, exit], let p" = [so\{u;} ,ai,..., Sfc\{u;} , exit, SkL{{vi,VT)}\{vi}]. 

Then p = p'^ - ■ ■ p\_i • p'{ is an execution in which signer r(vi) is honest, since 
the restricted execution is by construction causally closed in all states before the 
last state and the single exit transition occurs in the last transition. 

Unfairness for r(vi) follows since r(vi) has sent a signature at v, not received 
all signatures from the other signers and received an “abort” from the TTP. 

Proof (of Lemma^. Let p = [sq,< ai, Si, • ■ •,a/, s/] be an execution of V. It is 
sufficient to show that if p is closed, it contains all send events exactly once. 
According to Definition we know that for every zS{0,...,Z — l}we have 
Si -14'^ Si+i Si Si+ 1 . This implies that, in any execution, each step 

of the protocol (in particular every send event) can be executed at most once. 
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Furthermore, if p is closed, the third condition from Definition implies that, 
every send event has already occurred in p. Otherwise, there exists e G E such 
that p{e) = send and p can be extended to p ■ [send,si U {e}] G Exe(7^), which 
contradicts the closedness of p. 

Lemma 3. Let V he an optimistic fair DAG MFCS protocol. Let v,v',v" be 
pairwise distinct vertices assigned to the same signer such that 

1. V € SigSet{V) \ EndSet{V), 

2 . v" is a maximal common ancestor ofv and v', i.e., v" < w < v,v' ^ r{w) 
r(v), and 

3. for every signer P ^ r{v) there exists a vertex w >- v" with r{w) = P. 

Then for every permutation {Pi ,..., Pk-i) of signers in A \ {^(u)}, there ex¬ 
ists a sequence in seq{I,v") which contains {Pi,... ,Pk-i) as a (not necessarily 
consecutive) subsequence. 

Proof. Suppose there exists a permutation {Pi,..., Pk-i) of signers in A\ {r(z;)} 
which is not a subsequence of any sequence in seq(/, u"). We construct an AC 
sequence as follows. Let Vi be the set of all vertices of Pi in I. For i > 1, let Vi 
be the minset of all vertices of Pi which causally follow a vertex of Vi-i, i.e. Vi = 
minset({r(; G V \ r{w) = Pi A 3w' G Vi-i : w' < w}). Since for every signer there 
exists a vertex which causally follows v”, it follows that for some j, there exists 
a vertex vj G Vj with u" ^ Vj. (Else we have contradiction to the assumption 
that {Pi,..., Pk-i) is a missing permutation in seq(J, u").) Thus we obtain a 
sequence {vi,... ,Vj,w\v), where v" < w ^ v', r{w) = r{v), which is an AC 
sequence. 

Proof (of Theorem^. It suffices to verify the statement for a subset of all 
vertices in SigSetifP) by the following two facts: Fact 1: Let v G SigSet{V) 
be a causally earliest vertex of a signer from which a signature is sent, i.e. 
Vw G SigSet{V) : w A v ^ r{w) r{v). If seq{I,v) contains all permutations 
of signers in A \ {r(u)}, then seq(/, w) contains all such permutations of signers 
for all u> u with r{w) = r{v). Fact 2: If u G SigSet{V) such that for every 
signer P G A \ {r(u)} there is a vertex w A v for which seq{L,w) contains all 
permutations of signers in A \ {r(w)}, then seq(/,z;) contains all permutations 
of signers in A \ {r(u)}. 

Thus, we may assume that v G SigSet{V) is a causally earliest vertex of 
a signer from which a signature is sent (by Fact 1) and that v 4 SiqSet{P) \ 
EndSet{V) (by Fact 2). 

Since u is a causally earliest vertex of a signer from which a signature is 
sent, it follows by the fact that the protocol is optimistic that for every signer 
other than r{v) there exists a vertex which causally follows v or that there exists 
another vertex v" of signer r{v) from which a signature is sent such that v" v 
and V :^v". We consider these two cases separately. 

1. For every signer other than r{v), there exists a vertex which causally follows 

V. 


25 


We split this case into two separate subcases depending on whether there 
exists a vertex v' of signer r{v) which causally follows v. 

(a) 3v' >- V : r{v') = r{v). Let (Pi,..., Pk-i) be a permutation of signers in 
>l\{r(z))} and suppose towards a contradiction that the permutation does 
not appear as a subsequence of any sequence in seq(I,v). We construct 
an AC sequence as follows. Let Vi be the set of all vertices of Pi in I. 
For z > 1, let Vi be the minset of all vertices of Pi which causally follow 
a vertex of Fi_i, i.e. V^i = minset({r(; G V \ r{w) = Pi A 3w' G V^_i : 
w' -< ui}). 

Since for every signer there exists a vertex which causally follows v, it fol¬ 
lows that for some j there exists a vertex Vj G Vj with v ^ Vj, else we have 
contradiction to the assumption that the permutation (Pi,..., Pk-i) is 
not a subsequence of any sequence in seq(/, v). 

By construction, there exists a vertex in V^-i which causally precedes Vj 
and thus we obtain a sequence (ui,..., Vj,v'\v) which is an AC sequence. 

(b) -i3v' >- V : r{v') = r(v). 

Since the protocol is optimistic, there exists a vertex assigned to signer 
r{v) such that v' G EndSet{'P). Since v ^ EndSet{V), it follows that v' is 
not causally related to v. By the remark preceding Lemma[^ there exists 
a common ancestor v" or v and v' and v, v', v" satisfy the hypothesis of 
the Lemma. Thus there exists a vertex w causally preceding v such that 
seq(I,w) contains all permutations of signers in A\ {r'(z))} and therefore 
seq(/, v) contains all such permutations. 

2. There are causally unrelated vertices of signer r(y) from which signatures 
are sent. 

Let v' ^ V he such a vertex. By Equation in Section [A4| there is a vertex 
w assigned to signer r{v) which causally precedes all vertices of r{v) which 
are in SigSet{P). Let v" be a maximal such vertex, i.e. for any vertex w' 
assigned to signer r{v), there exists a vertex in SigSet{V) of signer r(v) which 
does not causally follow v”. 

Since the protocol is optimistic, for every signer P in the protocol, there 
exists a vertex w”, r{w") = P which causally follows v”. 

Then the vertices v,v', v" satisfy the hypothesis of Lemma[^ thus there exists 
a vertex w causally preceding v such that seq(/, w) contains all permutations 
of signers in A\{r(z))} and therefore seq(/, v) contains all such permutations. 

Proof (of Theorem^. Suppose that the protocol is not fair. Consider a short¬ 
est AC sequence, (ui,...,u;|_), r{vi) = r{v). Since the sequence is a shortest 
sequence, we have that V 2 ^ InitSet{V), else {v 2 , ■ ■ ■ ,vi\f) would be a shorter AC 
sequence. Consider the permutation of signers (Pi, ... ,Pi) corresponding to the 
AC sequence, i.e. Pi = r{vi). 

Let wi be the unique vertex in 

minset({r(; G SigSetfP) \ r{w) = r{vi)}). 

Existence of a vertex in the set follows from the fact that the protocol is opti¬ 
mistic, uniqueness follows from the fact that there is no in-role parallelism, i.e. 
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the vertices assigned to a particular signer are totally ordered. By hypothesis, 
the set of paths from I to wi contains all permutations of signers {r(u)}. Let 
Ui,... ,ui be the vertices associated with one such permutation. Note that either 
ui G I or we can find u'^ G I, u[ -< ui and r{u[) = ui. Thus we may assume 
ui G I. We have ui < wi ^ vi. We also have wi -< u/_i ^ u/, else conditionfor 
(ui,..., Ui I _) being an AC sequence (Definition would be violated. 

Thus we have ui ^ wi ^ u/_i ^ vi. This forms the basis for the inductively 
constructed sequence wi,... ,wf. Given Wi+i,..., wi, satisfying Ui+i ^ Wi+i ^ 
Vi -< Ui+i, let Wi be the unique vertex in maxset({i(; ^ lUi+i | r(w) = r(ui)}). 
Existence of a vertex in the set follows from Ui -< ^ tUi+i and uniqueness 

follows from the lack of in-role parallelism. By construction, Ui ^ Wi ^ Vi. If 
i > 1, then we also have Ui ^ Wi ^ Vi-i -< Vi, else condition I for (ui,... ,Ui|_) 
being an AC sequence (Definition [I^ would be violated. 

Thus, we have constructed a sequence Wi,... ,wi satisfying ui < Wi ^ W 2 ^ 
vi -< V 2 . This is not possible, since r{ui) = r{vi) and ui ^ vi G InitSet{V), 
contradicting ui € I. 

Lemma 4. Let G = (V, E) he the DAG of a fair optimistic DAG MFCS protocol 
for two or more signers. Let G' = {V',E'), where V = V \ {ut} and E' = 
E\{{v^w) G E \ V = vtM w = ut}, he the DAG obtained hy removing the TTP 
vertex and corresponding edges. Then G' is a single connected component. 

Proof. Suppose there are more than one connected components in G'. Let v G 
SigSet{V) be a causally earliest vertex from which a signature is sent, i.e. Vru € 
V ■. w <v => w ^ SigSet{V). 

Let w be a vertex in the InitSet{V) of a different connected component than 
V. We have two cases: 


— r(w) = r{v). Then {w\v) is an AC sequence. 

— r{w) yf r(u). Let u' be a vertex such that r{v) = r{v') and v' ^ v. Such a 
vertex exists, because the protocol is optimistic, thus there must be a vertex 
of signer r{v) receiving a signature. But such a vertex cannot precede v, 
because u is a causally earliest vertex from which a signature is sent. 
Consider two cases: 

• w -f. v''. Then {w.,v'\v) is an AC sequence. 

• w ^ v': Then w and v' are in the same connected component and v is 
in another connected component. If u' ^ InitSet{'P), then let v” -< v' be 
such that r{v') = r{v") and v" G InitSet{V). Else let v" = v'. 

Then (u"|u) is an AC sequence. 


Proof (of Theorem^. The minimal message complexity has been derived for 
optimistic fair linear protocols in 10 15 . Since these protocols are a subset of 


DAG MFCS protocols we see that the same message complexity can be attained. 
We need to show that there are no optimistic DAG MFCS protocols with lower 
message complexity. By Theorem every permutation of signers in the protocol 
must occur as a subsequence in the set of paths from a maximal vertex of the 
set of vertices of a signer in the initial set to a vertex in the signing set. 
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Consider any fair optimistic DAG MFCS protocol V = {V,E,r,fi,6). Con¬ 
struct a linear DAG (F, E') by choosing any topologically sorted list (ui,..., Vk) 
of the vertices in [V, E) and setting E' = {(ui, Ui+i)|l < i < k}. Since all permu¬ 
tations of signers occur along the paths in the DAG (V, E) under the labelling 
r :V ^ A, they also occur in the topologically sorted list (ui,..., Ufe) under the 
same labelling. Since the DAG is a single connected component by Lemma 
the number of edges in E' is smaller or equal to the number of edges in E. Thus 
the message complexity of V is greater than or equal to the message complexity 
of a protocol based on the linear DAG {V,E'). 


The specihc numbers for message complexity follow from 10,18 
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